Are Java security issues mainly with code jumping out of the 'security manager', or are there other serious security concerns to be aware of?

Do you think it will take years to find all of the bugs in Java that create vulnerabilities similar to C? I ask because, of course, the C programming language is notorious for its buffer overflows.

Thanks for reading this enormous post of words in your surely busy days. I am glad the book is only three-hundred-something pages, so I can do other things with my tiny life.

This book seems very interesting and very relevant in light of all the vulnerabilities with Java and OS X. Will the book address any of these issues? This link describes what I am referring to: an article on ZDNet describing Java 7 OS X vulnerabilities.

Are Java security issues mainly with code jumping out of the 'security manager', or are there other serious security concerns to be aware of?

You will want to look at guideline 18 in the new book, entitled "Do not expose methods that use reduced-security checks to untrusted code". It describes why malicious code was able to jump out of the security sandbox. There was a large family of vulnerabilities of this form discovered in the last year. All of the "critical" Java vulnerabilities you have read about lately were caused by malicious code jumping out of a sandbox.

There are many other security concerns, and they are covered by the rest of the book. Some of them contributed to the recent exploits (an exploit can and often does utilize multiple vulnerabilities).

Do you think it will take years to find all of the bugs in Java that create vulnerabilities similar to C? I ask because, of course, the C programming language is notorious for its buffer overflows.

It will take time, but the problem is different in Java than in C. The 'severe' Java vulnerabilities came mostly from the core library, and that is Oracle's responsibility; they have a big cleanup task to do. While you yourself can build vulnerable code, we haven't seen much vulnerable code being exploited that is *not* part of core Java. Contrast this to C, where anyone can build code with buffer overflows (or other problems). To summarize: cleaning up C is a big task for every C programmer; cleaning up Java is a big task for Oracle.
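The pattern behind that guideline, as an added illustration that is not from the book or from the thread: a trusted class that publicly wraps a method whose security check is made against the immediate caller (here `Class.forName(String)`) lends its own privileges to whoever calls the wrapper. The class name, method names and the package allowlist are assumptions for illustration; the mitigation shown (an explicit package-access check plus an allowlist owned by the trusted code) is one defensive approach, not the book's compliant solution.

```java
import java.util.Set;

// Hypothetical trusted library class (name is an assumption), loaded by a
// privileged class loader, whose public methods are reachable from sandboxed code.
public final class ClassLoaderFacade {

    // Noncompliant: Class.forName(String) resolves the name with the *immediate
    // caller's* class loader and checks access as the immediate caller. That
    // caller is this trusted class, not the untrusted code that invoked us, so
    // the untrusted code inherits our loader and skips the checks its own
    // loader would have applied (for example the package.access restrictions).
    public static Class<?> loadUnsafe(String name) throws ClassNotFoundException {
        return Class.forName(name);
    }

    // Packages this facade is designed to load on behalf of callers (constructed
    // sample allowlist). Anything outside it is refused regardless of caller.
    private static final Set<String> ALLOWED_PACKAGES = Set.of("com.example.plugins");

    // Defensive version: do not rely on the reduced check inside Class.forName.
    // Re-apply the checks the untrusted caller would have faced, then refuse any
    // name outside the facade's own allowlist.
    public static Class<?> loadSafe(String name) throws ClassNotFoundException {
        int dot = name.lastIndexOf('.');
        String pkg = dot >= 0 ? name.substring(0, dot) : "";
        if (!ALLOWED_PACKAGES.contains(pkg)) {
            throw new SecurityException("refusing to load class outside allowlist: " + name);
        }
        // Java 7-era sandbox model: with a SecurityManager installed, this check
        // consults the whole call stack, so a sandboxed caller is denied access to
        // restricted packages even though this trusted class sits on the stack.
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPackageAccess(pkg);
        }
        // Resolve through this class's loader deliberately rather than implicitly,
        // now that the name has been constrained to the allowlist.
        return Class.forName(name, true, ClassLoaderFacade.class.getClassLoader());
    }
}
```

The point to take from the pair is that the second method's safety comes from the checks and the allowlist owned by the trusted code, not from anything the caller supplies.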

Wow, thank you for the awesome response. I am going to have to find some time to read this book. Also, it is very interesting that all the problems are in the classes that come with the JDK and not in code written by Java programmers.

Thank you again for the response. This is cool. I hope the random matching tool picks my post and I get the free book!